Executive Summary:

Alere Home Monitoring, which provides in-home anti-coagulation monitoring services and related products, experienced a security breach on Sept 23 when a password protected laptop containing unencrypted records for more than 100,000 patients was stolen from an employee's car. The patient record data on the laptop contained the names, addresses, Social Security numbers, dates of birth, and diagnoses of Alere patients - equivalent to an identity thief’s jackpot. Alere notified affected customers stating, “We have no evidence that any of your information has been disclosed or misused as a result of this incident.” Doug Guarino, director of corporate relations for Alere, optimistically stated that, “We don’t think (the thief) was going after data, the data wasn’t supposed to be there (on the laptop).”

Analysis:

This incident reveals numerous missing IT controls. First, the laptop was obviously left unsecured in the car. A physical protection measure such as a cable lock might have prevented the theft. Though specific details about the theft are not available, one can conclude that Alere needs to improve its policy on the use of equipment while off premises. Second, Alere noted that the laptop was password protected. From the available information, I have a hunch that the laptop's password protection is vulnerable to being bypassed, since Alere has given no indication otherwise. A biometric authentication control in addition to the password would have provided defense-in-depth. Alere should reexamine its password protection policy in order to better assure the public that its equipment is secure. Third, Alere failed to encrypt the more than 100,000 patient records on the stolen laptop. This is an inexcusable IT security failure. Without a doubt, Alere needs to overhaul its data security policy, which should require encryption of all sensitive data stored on laptops. Last but not least, it appears from Doug Guarino’s comment - that the data was not supposed to be on the laptop - that the security breach could have been avoided entirely if protocol had been followed. Alere needs to enforce controls that keep sensitive information only in approved, secure locations. Alere must take corrective countermeasures against the missing controls discussed in order to recover from this IT security compromise.
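As an added illustration of the data-placement and encryption controls the analysis calls for (this is not Alere's tooling), the following Python audit flags files that hold SSN-like patient records and reports whether each file sits outside an approved encrypted location. The `/secure/` mount, the file paths and the records are constructed samples.

```python
"""Endpoint audit: find files holding SSN-like records and flag those stored
outside the approved encrypted location. Added illustration, not Alere's
tooling; paths, the /secure/ mount and the records are constructed samples."""
import re
from dataclasses import dataclass

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DOB_RE = re.compile(r"\b(0[1-9]|1[0-2])/(0[1-9]|[12]\d|3[01])/(19|20)\d{2}\b")

# Hypothetical: only this mount is an encrypted volume under IT control.
APPROVED_PREFIXES = ("/secure/",)

@dataclass(frozen=True)
class Finding:
    path: str
    ssn_count: int
    dob_count: int
    misplaced: bool  # True when the file lies outside every approved prefix

def scan_text(text: str) -> tuple[int, int]:
    """Count SSN-like and date-of-birth-like tokens in one file's contents."""
    return len(SSN_RE.findall(text)), len(DOB_RE.findall(text))

def audit(files: dict[str, str], approved=APPROVED_PREFIXES, min_hits=1) -> list[Finding]:
    """Return one Finding per file whose SSN count reaches min_hits,
    misplaced files first, then by descending record count."""
    findings = []
    for path, text in files.items():
        ssn, dob = scan_text(text)
        if ssn >= min_hits:
            findings.append(Finding(path, ssn, dob, not path.startswith(approved)))
    return sorted(findings, key=lambda f: (not f.misplaced, -f.ssn_count))

# Constructed sample of a laptop's files (fake SSNs and dates).
SAMPLE_FILES = {
    "/secure/patients.csv": "Doe,Jane,123-45-6789,04/12/1961\n",
    "/home/rep/Desktop/export.csv": "Roe,Rick,987-65-4321,11/02/1954\n"
                                    "Poe,Pat,111-22-3333,07/30/1948\n",
    "/home/rep/notes.txt": "call clinic re: device calibration\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_FILES):
        flag = "MISPLACED" if f.misplaced else "ok"
        print(f"{flag:9} {f.path} ssn={f.ssn_count} dob={f.dob_count}")
```

Pointing the scan at a real home directory and treating any misplaced finding as a policy violation gives a simple check that records never leave the encrypted store.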